Solved

w2k system error 5721

Posted on 2003-11-18
Last Modified: 2008-01-09
I noticed the following problem a few days ago & I can't think of any reason why it would have  suddenly started.

When logging onto the domain with a domain controller (WINS server) I get the message - At least one service or driver failed to start during system startup. The system log is reporting Error 5721 - The setup session to the windows nt or windows 2000 domain controller <unknown> for the domain DOMAINNAME failed because the domain controller does not have an account for the computer COMPUTERNAME.

When I try to net view the main domain controller (by that I mean the 1st dc in the domain) I get a system error 5 - Access is Denied.

I have looked on the main domain controller and noticed there is no trace of the WINS server in DNS, AD Users & Computers or AD Sites & Services, it's as if it's vanished!!

I thought about removing the server from the domain using dcpromo, it goes as far as to try and remove AD then reports - The operation failed because : The specified domain either does not exist or could not be contacted.

I need this domain controller working as it previously has been, any help would be most appreciated. Thanks.

Question by:bugie1981
23 Comments
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9771101
Are you sure the computer account is gone?  Try adding its computer account back in the domain manually from Users and Computers.  You will need to get the GUID of the missing DC to plug into the new account.  You can get it from the CMOS I think or use a script to get it.  Here is one that worked for me:

' Read the SMBIOS system UUID through WMI (Win32_ComputerSystemProduct).
Dim SystemSet, SystemItem, szUUID, boolWFMCapable

Set SystemSet = GetObject("winmgmts:").InstancesOf("Win32_ComputerSystemProduct")

For Each SystemItem In SystemSet
  szUUID = SystemItem.UUID
  ' An all-F value means the firmware does not expose a usable UUID.
  If szUUID = "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" Then
    MsgBox "No system UUID could be found. This system does " & _
           "not appear to support Intel's Wired For Management " & _
           "specification. This script will now try and retrieve " & _
           "a MAC based UUID.", vbInformation, "Not WFM capable"
    boolWFMCapable = 0
  Else
    ' InputBox is used so the UUID can be copied from the text field.
    InputBox "Successfully retrieved a system UUID, " & szUUID & _
             ". This UUID has been placed in the text area below " & _
             "for your convenience.", "WFM Capable", szUUID
    boolWFMCapable = 1
  End If
Next

Cut and paste this into a text file and call it GUID.vbs, then run it

It should give you a number like "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF"

0
 
LVL 5

Expert Comment

by:ralonso
ID: 9771111
Are you just missing the consoles? or the applications as well?

Initially I'd tell you to install the administrative tools (in the CD i386\adminpak.msi)

Another approach would be to open AD users and computers from another DC. Then try to connect to the "failed" DC (if you right-click in the domain name, there's an option to change the DC that you are viewing info from)

If you check the "services" admin tool, are WINS, DNS, etc in there? what about task manager. Are all these services running?
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9771337
This article best describes it but it's more for an NT domain:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;160324

0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9771352
You would by chance have a backup of the "System State" would you?
0
 

Author Comment

by:bugie1981
ID: 9771626
Thanks for your replies.

Yes the computer account was definitely gone. If I add the computer account manually from users & computers no NTFRS subscriptions appear. Also if I add the account to Sites & Services there are no NTDS settings appearing.

I tried the vbs and I have the list of numbers from the script, thanks for that.

What do I do with this now?

I have checked out the microsoft info and as you say it is mainly pointing to NT4. But I'll have another look to see if it can help.

I don't have a backup of the "System State".
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9771777
Dang, no System State.  That would have been nice.  When you added the account, select the checkbox that says "This is a managed computer" and then enter in the GUID.  I've never tried this but it's your best option if you don't have the sys state, other than formatting.  There might be a manual removal procedure of AD, but I wouldn't trust it.
0
 

Author Comment

by:bugie1981
ID: 9772013
Trust me the System State is getting backed up on all my servers once I have this resolved!

I know the managed window you mean where you have to enter the GUID/UUID but...
 
When I add the account in users & computers the only info I can specify is Computer Name, Computer Name (Pre 2k) & whether I want pre 2k computers to use this account. I only have the OK or CANCEL options whereas to get to the managed window I need next. I don't know why I haven't got this option, could it be because I'm still running mixed mode?

Do you know if the GUID can be entered after the computer account has been created?
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9772033
I don't think so.  Have you tried accessing the network now that the account is there?  I don't think things will be back to norm until you demote and promote, I was just thinking that doing this might let you demote it now.
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9772086
now that you recreated the account and it should be in the Domain Controllers OU, have you tried to right click on the machine name (from AD users and computers) and "reset account"? it may resync the SID

just a blind guess
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9772277
Ahh, I think I found it.  From the PDC, Start -- Run -- srvmgr
This has an option for adding a BDC, once it's added, go to Site and Services and replicate it to the other servers
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9772279
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9772394
maybe I'm getting lost, but you had a windows 2000 DC that is no longer in AD.

You cannot remove AD, and you are not recognised as part of the domain either.

have you tried to boot in Directory services restore mode and use ntdsutil
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/ntdsutil.asp

to perform some cleanup and uninstall completely AD?

I believe that once you have cleaned up AD, you should be able to rejoin the domain and install AD again.
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9772478
(this procedure may destroy your active directory)

Do you have backup of the C drive of your main server??

If so, you could do something. It's a bit tricky but it could work:

1 - make a backup of the system state of your main server

2 - start the main server in Directory services restore mode.

3 - Restore the files in c:\winnt\ntds from a backup when the AD was fine

4 - Restart the server

At this point you should be running the machine with the old AD settings, and your failed server should be able to connect, otherwise just restart in DS Restore mode and restore the system state.

If the second server reconnected, uninstall AD from the server while both are online and remove it from the domain.
Restart the main server in DS Restore mode and restore the system state.
Rejoin the domain with the second server and eventually reinstall AD.

A bit risky but may work.
If your server is just DC and WINS... reinstall it. It'll be quicker and safer :(

0
 

Author Comment

by:bugie1981
ID: 9777306
The problem is still the same but I haven't taken into account the last 4 comments. Time difference is a bitch! I'll take that info on board guys and try each in turn. I'll get back to you asap to let you know how I get on. Cheers.
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9779513
I agree with Ralonso about saving time by reinstalling... but if you really don't want to and you still can't clear AD manually with ntdsutil, remove it from the network and use ntdsutil to seize the roles.  If that works, delete all the other domain controllers from AD and then try demoting with dcpromo.  You'll need to click the checkbox that says "This server is the last domain controller in the domain".  If that works, knock it down to a workgroup, then you should be able to reconnect it to the network and rejoin.
0
 

Author Comment

by:bugie1981
ID: 9779626
Reinstallation isn't an option, the server holds numerous databases and applications that are being used around the WAN, it's imperative to our users. I like the sound of the last comment from Popeyediceclay and I'm going to give that a go, unfortunately I'm going to have to wait until the end of the working day before I take the server down. I'll let you know how this one turns out as soon as I'm done. Thanks again
0
 

Author Comment

by:bugie1981
ID: 9781122
I took the server off the network & cleared the AD down so that I could claim it was the last server in the domain. The AD installation failed giving me a message -

This is not the last domain controller in the domain, The server is not willing to process.

I then had an idea to shut down the faulty server and add a new w2k server to the domain with the same computer name & IP address as the faulty one. This was done successfully.
 
The main dc now has NTDS settings, NTFRS subscriptions & a DNS record for the server. I then shut down the new server & fired up the old faulty one.

The server dropped into the domain no problem and seems to be doing its job, I can now access the main dc without error. Problem being it has very little (& incorrect) data in AD.

I thought a depromotion and repromotion would resolve this but when I tried running dcpromo I get "The specified domain controller either does not exist or could not be contacted".

Reluctantly it looks like I am going to have to reinstall. Can I do this without losing data or is it a case of backing up the data, formatting, reloading windows and then restoring the data?

That would be a nightmare as it hosts my sql database and is the domain's WINS server, plus it's raid5.

0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9781155
sounds like there are still entries for other server in the database, did you clear them out with ntdsutil?  How bout seizing the 5 roles?
0
 
LVL 3

Accepted Solution

by:
Popeyediceclay earned 250 total points
ID: 9781206
You could also try seizing the roles to the new server first.  As for losing data, you may have some ownership problems with your SQL database once you set it back up.  I'm not the SQL expert, you may want to post that question in the SQL section.  If you reinstall, just don't change the disk config or format any partitions.  The WINNT folder will be erased so any data in there will be gone.  Use NTBACKUP to ensure you don't lose anything, definitely backup the WINNT at least.
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9782858
can you try to reset the failed DC's account from AD users and computers and force a replication of AD?

does your event viewer display any error message in the AD log?
0
 
LVL 5

Assisted Solution

by:ralonso
ralonso earned 250 total points
ID: 9782960
try the commands in
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316829

particularly:
The following line shows the syntax of the Repadmin command that you use to perform the synchronization:
repadmin /sync <Naming Context> <Dest DC> <Source DC GUID> [/force] [/full]

The following line is an example use of this command:
repadmin /sync DC=domain,DC=root good_DC dc1 122a5239-36b3-488a-b24c-971ed0ca8a46 /force /full

In the example command,
"DC=domain,DC=root" is the domain naming context.
"good_DC" is the destination DC. This is the good partner that will receive the updates.
The DSA GUID is the replication GUID for the restored DC. You can get this by running Repadmin /showreps on the restored server. The GUID is listed at the top under "DC Object Guid".
If the synchronization is successful, you receive the following message:

Sync from 122a5239-36b3-488a-b24c-971ed0ca8a46 to Good_DC completed successfully.


Repeat the process for the configuration naming context by using a command similar to the following:
repadmin /sync cn=configuration,DC=domain,DC=root good_DC dc1 122a5239-36b3-488a-b24c-971ed0ca8a46 /force /full

The problem is not likely to be solved after you do this. After you do this, install the hotfix or demote and then promote the domain controller to solve the problem.
0
 

Author Comment

by:bugie1981
ID: 9809864
Hi guys. I've been away for a few days which is why the late reply. After trying everything, nothing has worked to the way I want it. I am going to format the server and rebuild it from scratch. I would like to share the points between you both as your info has helped me a lot.

How do I go about sharing the points? As this is the first time I have asked a question on this website.

Thanks Again.  
0
